48 million people put at risk after firm that scraped info from social networks left it exposed for anyone to download

April 19, 2018


Chances are that you’ve never heard of Washington-based data firm LocalBlox. But that doesn’t mean that they haven’t heard of you. And it doesn’t mean that your personal information hasn’t been recklessly exposed through their sloppy disregard for the most basic security.

As Zack Whittaker of ZDNet reports, LocalBlox scooped up information from the personal profiles of some 48 million users of social networks like Facebook, LinkedIn, Twitter, and real-estate site Zillow without their consent.

The data LocalBlox collated included names, email addresses, dates of birth, postal addresses, and even – in some cases – individuals’ net worth.

LocalBlox then consolidated that sensitive information into a single unencrypted file over 1.2 terabytes in size, and placed it on an Amazon S3 bucket.

If you’ve been following past data breaches you can probably guess the worst part of this story – you didn’t need a password to access LocalBlox’s Amazon S3 bucket, meaning anybody in the world could download the data.

The massive lapse was discovered by security researcher Chris Vickery who has made quite a name for himself in recent years discovering a wide array of organisations pouring data onto the public web because they have failed to properly configure their cloud storage systems.
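The failure described above is a bucket whose ACL or bucket policy grants read access to everyone, with nothing at the account or bucket level to override it. The following is an added example, not code from the original article or from LocalBlox: a small offline audit that evaluates the three documents `aws s3api get-bucket-acl`, `get-bucket-policy` and `get-public-access-block` return and says whether an anonymous reader gets in. The ACL group URIs and the four Block Public Access setting names are the real ones AWS documents (Block Public Access itself was added by AWS in late 2018, after this incident); the sample ACL, policy and canonical ID are constructed.

```python
import json

# Grantee group URIs that S3 uses for "everyone" and "any AWS account" in ACLs.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
# The four Block Public Access switches, as AWS names them.
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
OBJECT_READ_ACTIONS = {"*", "s3:*", "s3:Get*", "s3:GetObject"}


def acl_public_grants(acl):
    """Return (group URI, permission) for every ACL grant that lets anyone read the bucket."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in READ_PERMISSIONS):
            hits.append((grantee["URI"], grant["Permission"]))
    return hits


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy):
    """Return the Sid (or index) of each unconditioned Allow granting object reads to anyone.

    Resource scoping and Condition blocks are deliberately ignored: an unconditioned
    allow to "*" is the definite problem; a conditioned one needs a human to read it.
    """
    if isinstance(policy, str):  # get-bucket-policy returns the policy as a JSON string
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    hits = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow" or "Condition" in st:
            continue
        if not _principal_is_anyone(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if OBJECT_READ_ACTIONS.intersection(actions):
            hits.append(st.get("Sid", f"statement[{i}]"))
    return hits


def public_access_block_gaps(pab):
    """Return the Block Public Access settings that are missing or False."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return [k for k in BLOCK_KEYS if not cfg.get(k, False)]


def assess_bucket(acl, policy, pab):
    """Combine the three documents into one verdict on anonymous readability."""
    acl_hits = acl_public_grants(acl)
    policy_hits = policy_public_statements(policy) if policy else []
    gaps = public_access_block_gaps(pab)
    # IgnorePublicAcls neutralises public ACL grants; RestrictPublicBuckets neutralises
    # public bucket policies. Either switch being off leaves that route open.
    acl_route_open = bool(acl_hits) and "IgnorePublicAcls" in gaps
    policy_route_open = bool(policy_hits) and "RestrictPublicBuckets" in gaps
    return {
        "public": acl_route_open or policy_route_open,
        "public_acl_grants": acl_hits,
        "public_policy_statements": policy_hits,
        "block_public_access_gaps": gaps,
    }


# --- Constructed sample documents (not LocalBlox's real configuration) ---------
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"}
WORLD = {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}
EXPOSED_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": WORLD, "Permission": "READ"},   # the "no password needed" setting
]}
PRIVATE_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": EXPOSED_ACL["Grants"][:1]}
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "WorldRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
NO_BLOCK = {}  # what you get when Block Public Access was never configured
FULL_BLOCK = {"PublicAccessBlockConfiguration": {k: True for k in BLOCK_KEYS}}

if __name__ == "__main__":
    for label, args in (("exposed", (EXPOSED_ACL, EXPOSED_POLICY, NO_BLOCK)),
                        ("blocked", (EXPOSED_ACL, EXPOSED_POLICY, FULL_BLOCK)),
                        ("private", (PRIVATE_ACL, None, NO_BLOCK))):
        print(label, json.dumps(assess_bucket(*args), indent=2))
```

Run against a real account, the inputs would be the JSON from `aws s3api get-bucket-acl --bucket NAME`, `get-bucket-policy` and `get-public-access-block` for each bucket; the verdict shows the two routes separately, because a bucket with a world-readable ACL can still be closed by `IgnorePublicAcls` alone, while a public policy needs `RestrictPublicBuckets`. Enabling all four switches at the account level is the setting that would have made the configuration in this story impossible regardless of what any one bucket said.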

Thankfully Vickery is a responsible researcher, who informed LocalBlox’s CTO Ashfaq Rahman of the problem – and the data was properly secured just a few hours later. But we simply don’t know how long the data was available for anyone to download beforehand.

LocalBlox makes no secret of how it collects and consolidates data about individuals. Its own website explains how it “automatically crawls, discovers, extracts, indexes, maps and augments data in a variety of formats from the web and from exchange networks… LocalBlox helps companies acquire and utilize a vast amount of information from sources held captive on the web with exceptional speed and scale.”

I cannot confirm if LocalBlox does demonstrate “exceptional speed and scale”, but I’m pretty certain from this incident that it falls down when it comes to security.

The fact is that little-known companies like LocalBlox wouldn’t be able to grab your data if you were more careful about what you shared online, and ensured that proper privacy settings were in place to prevent public access to the most sensitive information on your profiles.

And LocalBlox, and other firms like it, wouldn’t find themselves the centre of unwanted attention if they took the time to take even the most elementary steps to protect the data they controversially collect.

If proper care isn’t taken, it won’t be ethical researchers like Chris Vickery who stumble across your unsecured data; it might be malicious hackers.

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.